Lockscreen Bug Fix Conspicuously Absent in iOS 9 Update

Apple on Wednesday released the first update to its new iOS 9 operating system to clean up some bugs in the original version of the software.

Bugs addressed in the update, iOS 9.0.1, include a system freeze on the "slide to update" screen, alarms and timers that would fail to go off, and frame distortion in paused videos. One bug Apple didn't address allows an intruder to bypass a device's lockscreen.

Still, compared to some past versions of iOS, the latest version of the software is "very stable," said Tim Bajarin, president of Creative Strategies.

That's borne out in the latest crash statistics released by Crittercism. They show that the crash rate five days after release of iOS 8 was 3.3 percent, compared with 2.2 percent for iOS 9 for the same period.

Comparing iOS 8 to iOS 9 may not be entirely fair, however, because the size of the jump from each version's predecessor differed.

"The difference between iOS 7 and iOS 8 was greater than the one between iOS 8 and iOS 9," said Kevin Krewell, principal analyst at Tirias Research.

"The software is very stable, and since I've been working with it, I haven't had any significant hiccups," he told TechNewsWorld.

Bugs Squashed Before Release

Two contributing factors to iOS 9's stability are the size of the software download and the length of time it was in public beta, Bajarin told TechNewsWorld.

"Past versions of iOS were about 5 GB in size. This one is less than 2 GB, so it's a much smaller code update," he said.

"Another reason it has fewer bugs is it has been in public beta for four or five months, so a lot of bugs were caught before it was released to the public," Bajarin continued.

"With any operating system, you're going to find bugs when it first comes out," he said. "The good news is, when they do it like this with a public beta, by the time it comes out, any bug is going to be minor."

Lockscreen Vulnerability

One serious unaddressed bug in iOS 9, discovered by Jose Rodriguez, allows an intruder to bypass a device's lockscreen and access photos and contacts on it.

Rodriguez, who also discovered a lockscreen bug in iOS 6.1.3 two years ago, posted a video to YouTube demonstrating that the OS's five-attempt lockout policy could be breached and that Siri could be enabled from the lockscreen.

The technique apparently works only with four- or six-digit passcodes, according to AppleInsider.

Apple is no stranger to lockscreen bugs, as they were discovered in iOS 4, 6 and 7, too, AppleInsider noted.

"These lockscreen vulnerabilities seem to be a trend for Apple when they release a new OS update, whether it be PIN codes or the fingerprint scanner," said Armando Orozco, a senior malware intelligence analyst for Malwarebytes.

"It boggles my mind how these trivial methods have been used to bypass lockscreen security," he told TechNewsWorld.

Convenience vs. Security

Allowing Siri to respond to voice commands before a device is unlocked is a feature that must be used with caution, advised Paco Hope, a principal consultant at Cigital.

"If you have Siri enabled from the lockscreen, you have to be careful what you enable it to do," he told TechNewsWorld. "That's always been the case."

Accessing Siri from the lockscreen is enabled by default. If it were turned off by default, it would make an iPhone more secure, but Apple may not want to do that.

"If you create really usable features but they have to be enabled manually, then nobody ever uses them," Hope said.

The lockscreen vulnerability came to light as Apple scrambled to purge an infestation of apps infected with malware.

"Every week it's another vulnerability in iOS," Trend Micro Chief Cybersecurity Officer Tom Kellermann told TechNewsWorld. "It's troublesome that more and more of these things are coming to light."